I think I have a related issue to this. I have .properties files with table headings in them. I used to be able to put a br tag <br> in the content of my labels to break two words.
ex. "Cust.<br>Order# " would turn into " Cust. Order# " on my display, now it sends it literally. How do I get the old behavior back?

David E Jones wrote:
>
> Have you been following the discussion on the mailing lists about the
> XSS/etc prevention efforts?
>
> As a general practice when you run into things like this you can
> usually find your answer pretty quickly by looking at commit logs, and
> by looking at code in OOTB OFBiz that does something similar to what
> you are trying to do. In this case, for example looking at the
> productdetail screen and the groovy and ftl files that it uses will
> give you an example of how to handle this now.
>
> The important thing to know is that now all String objects are
> automatically HTML encoded (using the OWASP ESAPI library). To avoid
> it, just use anything other than a String object. The normal way to do
> this is to create your script dynamically using a StringBuilder, and
> then just leave it as a StringBuilder instead of calling toString() on
> it before putting it in the context. Then it won't get HTML encoded...
>
> On a side note, I know that the OOTB code isn't the best example of
> this, but usually it is best to generate your JavaScript in the FTL
> file. If you are dynamically generating any sort of text a template
> file is usually the best tool to use and results in the cleanest and
> easiest to maintain code.
>
> And as a bonus, you'll avoid this encoding issue too. In fact, part of
> the decision to do this general encoding is to encourage the practice
> of using templates for what they are meant to be used for.
>
> Best of luck,
> -David
>
>
> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>
>> A precision:
>>
>> *** Error comes from Groovy
>> Because I have the problem only with generated Javascript script with
>> Groovy.
>>
>> An idea?
>>
>> Thanks
>>
>> Eric
>> ----- Original Message ----- From: "Eric DE MAULDE" <[email protected]>
>> To: <[email protected]>
>> Sent: Monday, February 16, 2009 6:24 PM
>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>
>>
>> Hi,
>>
>> I updated my working copy
>>
>> *** Now all javascript are parsed to HTML (and appear in screen, just
>> for my own application, Ecommerce is OK)
>> Script tags are ok.
>> Ex. in source:
>> <script language="JavaScript"
>> type="text/javascript"><!--
>> Do you know where I can configure Freemarker?
>>
>> In HTML head tag, some chars are parsed too.
>>
>> Eric
>
>

--
Stephen P Rufle
[email protected]
H1:480-626-8022
H2:480-802-7173
Yahoo IM: stephen_rufle
AOL IM: stephen1rufle
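
The type-based encoding described in the quoted reply, as an added example that is not part of the original thread and is not OFBiz code. It is a simplified model: `EncodingContextDemo`, `render` and `encodeForHtml` are hypothetical names, the small encoder stands in for the ESAPI encoder, and the untrusted value is constructed. It shows why the `<br>` label now appears literally, and that once a value is left as a `StringBuilder` any untrusted data appended to it has to be encoded by hand.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model of type-based output encoding; hypothetical names, not OFBiz code.
public class EncodingContextDemo {

    // Minimal stand-in for an HTML encoder such as the ESAPI one named in the thread.
    static String encodeForHtml(CharSequence in) {
        StringBuilder out = new StringBuilder(in.length());
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // What the template receives: String values are encoded, any other type passes through.
    static String render(Object value) {
        return (value instanceof String) ? encodeForHtml((String) value) : String.valueOf(value);
    }

    public static void main(String[] args) {
        String label = "Cust.<br>Order#";             // label from the first message
        String userInput = "\"><i>untrusted</i>";     // constructed untrusted value

        Map<String, Object> context = new LinkedHashMap<>();
        context.put("asString", label);                      // encoded: <br> is shown literally
        context.put("asBuilder", new StringBuilder(label));  // not a String: markup reaches the page
        // Leaving a value as a StringBuilder moves the duty to encode onto its author.
        context.put("rawMix", new StringBuilder("<td>").append(userInput).append("</td>"));
        context.put("encodedMix",
                new StringBuilder("<td>").append(encodeForHtml(userInput)).append("</td>"));

        for (Map.Entry<String, Object> e : context.entrySet()) {
            System.out.println(e.getKey() + " -> " + render(e.getValue()));
        }
    }
}
```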
